Keycloak 26.6.1 Release Note

Source: https://github.com/keycloak/keycloak/releases/tag/26.6.1

keycloak/keycloak 26.6.1 Release Notes

Published at: 2026-04-15T13:58:02Z

Upgrading

Before upgrading, refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

  • #47276 CVE-2026-4366 Blind Server-Side Request Forgery (SSRF) via HTTP Redirect Handling [core]
  • #47619 CVE-2026-4633 Keycloak user enumeration via identity-first login [core]

Enhancements

  • #47839 Update CloudNativePG to 1.29
  • #47909 Database data at rest encryption

Bugs

  • #47435 AuroraDB IT CI workflow not cleaning up databases [testsuite]
  • #47737 deploy-testsuite profile is incomplete, causing discrete testsuite execution to fail [testsuite]
  • #47776 False session type of access token in offline_access refresh token flow with scope parameter without offline_access scope [oidc]
  • #47827 az vm create fails with JSON parsing error [ci]
  • #47872 v26.6.0 Operator flood logs with warnings [operator]
  • #47889 Not possible to sync latest keycloak-admin-client to keycloak-client [admin/client-java]
  • #47904 @keycloak/keycloak-admin-client fails to install in version 26.6.0 [admin/client-js]
  • #47905 invalid package reference in keycloak-admin-ui [admin/ui]
  • #47908 MigrateTo26_6_0 modifies custom browser flows, breaking existing realm authentication [organizations]
  • #47929 User profile multiselect options not highlighted as selected in dropdown [admin/ui]
  • #47955 IdentityProviderAuthenticator creates an infinite redirect loop when an IdP returns an error (e.g. access_denied) and the login was initiated with kc_idp_hint [identity-brokering]
  • #48015 Missing explicit docs anchor for organizations [docs]
  • #48032 Endpoint Response Text during Bootstrap contains Typo: Boostrap [dist/quarkus]